3 years ago

2011 SERC CMEP Implementation Plan - SERC Home Page

2011 SERC CMEP Implementation Plan - SERC Home Page

Section 5:

Section 5: 2011 CMEP Discovery MethodsThe NERC CIP staff worked to identify the appropriate CIP requirements for complianceaudits using a risk assessment that takes into account the necessary use of subjectmatter expertise and the complexity of the CIP Standards. This resulted in a decreaseof requirements for compliance audits. Details are listed in the 2011 Actively MonitoredReliability Standards list.d. COM Reliability StandardsCOM-001 and 002 will be audited for the RCs. The RC function is one of the threecritical functions that require certification. Their ability to perform is determined in largepart by their communications.e. Long-Range Audit PlanA long range (8 year) audit plan was developed to ensure that each entity registeredwithin the SERC region receives a compliance audit on a prescribed schedule.Registered Entities that perform Reliability Coordinator (RC), Balancing Authority (BA),or Transmission Operator (TOP) functions will be audited on a three (3) year periodicityfor those three functions plus any other functions for which the entity is registered.Entities that are not registered as RC, BA, or TOP will typically be audited on a six (6)year periodicity. The annual plan will be updated at least annually to account forchanges in registration and other factors. See Appendix 1.f. Audit Team Composition and EmphasisEach SERC compliance audit will be led by a member of SERC compliance staff. Theaudit team will be composed from SERC compliance staff, other SERC staff members,SERC Registered Entity Industry Subject Matter Experts (ISMEs), and NERC and FERCpersonnel as applicable. All audit team members will operate under approved conflict ofinterest and non-disclosure agreements and will receive requisite training prior to theaudit. Advance notifications will occur as required by the CMEP to allow for auditedRegistered Entity objections to participation of selected team members. The SERCDirector of Compliance will review and act on such objections as appropriate.In 2011, SERC will continue a heavy focus towards “on-site” compliance audits. Inparticular, those entities that have been more recently registered in the SERC region willtypically undergo an on-site audit as one means to promote communication of processesand expectationsAs noted above, all FERC-approved Reliability Standards applicable to the RegisteredEntity based on registered functions are subject to audit. The subset of ReliabilityStandards / requirements designated for audit in the 2011 NERC CMEP ImplementationPlan will serve as the default scope for SERC audits, in addition to any ReliabilityStandards for which a Mitigation Plan has been completed by the Registered Entitywithin the 12 months prior to the date of the audit detail letter. See the NERC 2011Actively Monitored Reliability Standards spreadsheet for the breakdown by requirementof the scope for audits. Additional applicable requirements may be added to audit scopebased on the risk-based and performance criteria set forth in the Reliability StandardsSubject to 2011 CMEP Implementation section above.SERC Compliance Monitoring and Enforcement Program2011 Implementation PlanDecember 1, 2010 (Rev. December 10, 2010) 13

Section 5: 2011 CMEP Discovery Methods2. Self-CertificationFifty-three Reliability Standards are designated for Self Certification in the NERC 2011Implementation Plan with 15 additional Standards included in the SERC 2011Implementation Plan. Registered Entities are required to self-certify to all requirementsof the Reliability Standards listed in Attachment A.SERC has two major filings for annual self-certifications targeted for June 1 and October1. For annual filings, the associated forms are “posted” to the Portal approximately twomonths ahead of the scheduled due date. One exception is an annual filing due January15, 2012 for PER-002 and PER-004 in which the forms are posted 14 days in advanceof the filing deadline. SERC requires at least one individual from each Registered Entityto be identified as an authorized signatory. The authorized signatory is a role whichshould be given to the representative(s) who will be certifying to compliance submittals.Self-certification must be approved by the Registered Entity’s authorized signatory priorto being accepted by SERC. A systematic notification process to the Registered Entity’scompliance contact, with possible escalation of notices to the officer or CEO contact willbe initiated for any late submittals.A reporting period will be defined for each Reliability Standard monitored by selfcertification. The reporting period is a 12 month period of time prior to posting of theform. The self certification will be an attestation by the Registered Entity for all FERCapprovedversions of the Reliability Standard in effect during the defined reportingperiod. The response to the certification should accurately reflect the Registered Entity'scompliance status for the entire reporting period, and is subject to validation by SERCthrough spot check or any other compliance monitoring method.The scheduled filing dates for self-certifications are listed in Appendix 1.a. CIP-002-3 through CIP-009-3 Reliability StandardsAnnual self-certifications for the CIP-002-3 through CIP-009-3 Reliability Standards (CIPStandards) will be conducted by SERC in January 2012 and will cover the period fromOctober 1, 2010 through the earlier of December 31, 2011 or the date Version 3 of theCIP Standards is superseded. However, the issuance of CIP supplementalquestionnaires may be needed as directed by NERC or FERC.Registered Entities to which the CIP Standards apply are required to self-certifyto all requirements of the CIP Standards, even if the applicable Registered Entityhas no Critical Assets. CIP-002-3 R4 6 requires all entities to annually approvetheir risk-based assessment methodology, the list of Critical Assets, and the listof Critical Cyber Assets; even if such lists are null, and CIP-003-3 R2 requires allentities to assign a single senior manager with overall responsibility and authorityfor leading and managing the entity’s implementation of, and adherence to theCIP Standards, even if the entity has determined that it has no Critical CyberAssets. Thus, Registered Entities must affirmatively respond “Compliant” or “NotCompliant”, and should not indicate “Not Applicable”, in its self-certifications for6 Compliance Monitoring and Enforcement Program2011 Implementation PlanDecember 1, 2010 (Rev. December 10, 2010) 14

Compliance Seminar New Orleans - Apr 11-12, 2012 - SERC Home ...
NERC CIP Compliance - SERC Home Page
Edge - Open Forum - Aug 13, 2012 - Paragraph 81.pdf - SERC Home Page
CIP-007 - SERC Home Page
CIP-06 Physical Security of Cyber Assets - SERC Home Page
NERC GADS Introduction to pc-GAR and pc-GAR MT - SERC Home ...
SERC Compliance Seminar - ReliabilityFirst
INPO Overview - SERC Home Page
Frequency Response Initiative Report - SERC Home Page
Planning, implementing, and monitoring, home-based HIV testing ...
RealityCharting e-book .pdf - SERC Home Page
Fife Council Plan 2007 to 2011 - Home Page
NextGen Implementation Plan 2011 - FAA
Compliance Seminar Charlotte - Feb 28-29, 2012 - SERC Home Page
CIP vs Non-CIP - Entergy - SERC Home Page
2012 HHS PHEMCE Implementation Plan - PHE Home
FRCC Fall Workshop 2011 - NERC Presentation
2011 Management Plan Implementation Report - Olympic Coast ...
Leadership for Improvement Plan Implementation - Texas ...
Inuvialuit Research, Planning, Monitoring and Implementation
A Systematic Approach to the Planning, Implementation, Monitoring ...
Making Tracks: Implementation Plan 2009-10 to 2011-12
Action Plan for the Implementation of UNSCR 1325 - PeaceWomen
Implementation Plan - International Living With a Star (ILWS)
Implementation of Community based Home INR ... -
Senthilvel K.-Evolving Trends in GRC Implementation .pdf
Planning, Designing and Implementing Policies to Control - DTIE
Planning and Funding Issues Hindered CBP's Implementation of the ...